From: Justin Tee <justintee8345@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: jsmart2021@gmail.com, justin.tee@broadcom.com,
Justin Tee <justintee8345@gmail.com>
Subject: [PATCH 3/8] lpfc: Validate hdwq pointers before dereferencing in reset/errata paths
Date: Fri, 26 Jul 2024 16:15:07 -0700 [thread overview]
Message-ID: <20240726231512.92867-4-justintee8345@gmail.com> (raw)
In-Reply-To: <20240726231512.92867-1-justintee8345@gmail.com>
When the HBA is undergoing a reset or is handling an errata event, NULL ptr
dereference crashes may occur in routines such as lpfc_sli_flush_io_rings,
lpfc_dev_loss_tmo_callbk, or lpfc_abort_handler.
Add NULL ptr checks before dereferencing hdwq pointers that may have been
freed due to operations colliding with a reset or errata event handler.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
---
drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++-
drivers/scsi/lpfc/lpfc_scsi.c | 13 +++++++++++--
drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++++
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 6943f6c6395c..f21c5993e8d7 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -175,7 +175,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport)
ndlp->nlp_state, ndlp->fc4_xpt_flags);
/* Don't schedule a worker thread event if the vport is going down. */
- if (test_bit(FC_UNLOADING, &vport->load_flag)) {
+ if (test_bit(FC_UNLOADING, &vport->load_flag) ||
+ !test_bit(HBA_SETUP, &phba->hba_flag)) {
spin_lock_irqsave(&ndlp->lock, iflags);
ndlp->rport = NULL;
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index 98ce9d97a225..60cd60ebff38 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -5555,11 +5555,20 @@ lpfc_abort_handler(struct scsi_cmnd *cmnd)
iocb = &lpfc_cmd->cur_iocbq;
if (phba->sli_rev == LPFC_SLI_REV4) {
- pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
- if (!pring_s4) {
+ /* if the io_wq & pring are gone, the port was reset. */
+ if (!phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq ||
+ !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {
+ lpfc_printf_vlog(vport, KERN_WARNING, LOG_FCP,
+ "2877 SCSI Layer I/O Abort Request "
+ "IO CMPL Status x%x ID %d LUN %llu "
+ "HBA_SETUP %d\n", FAILED,
+ cmnd->device->id,
+ (u64)cmnd->device->lun,
+ test_bit(HBA_SETUP, &phba->hba_flag));
ret = FAILED;
goto out_unlock_hba;
}
+ pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
spin_lock(&pring_s4->ring_lock);
}
/* the command is in process of being cancelled */
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index d240bbded4c8..332b8d2348e9 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -4687,6 +4687,17 @@ lpfc_sli_flush_io_rings(struct lpfc_hba *phba)
/* Look on all the FCP Rings for the iotag */
if (phba->sli_rev >= LPFC_SLI_REV4) {
for (i = 0; i < phba->cfg_hdw_queue; i++) {
+ if (!phba->sli4_hba.hdwq ||
+ !phba->sli4_hba.hdwq[i].io_wq) {
+ lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+ "7777 hdwq's deleted %lx "
+ "%lx %x %x\n",
+ phba->pport->load_flag,
+ phba->hba_flag,
+ phba->link_state,
+ phba->sli.sli_flag);
+ return;
+ }
pring = phba->sli4_hba.hdwq[i].io_wq->pring;
spin_lock_irq(&pring->ring_lock);
--
2.38.0
next prev parent reply other threads:[~2024-07-26 23:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-26 23:15 [PATCH 0/8] Update lpfc to revision 14.4.0.4 Justin Tee
2024-07-26 23:15 ` [PATCH 1/8] lpfc: Change diagnostic log flag during receipt of unknown ELS cmds Justin Tee
2024-07-26 23:15 ` [PATCH 2/8] lpfc: Remove redundant vport assignment when building an abort request Justin Tee
2024-07-26 23:15 ` Justin Tee [this message]
2024-07-26 23:15 ` [PATCH 4/8] lpfc: Fix unintentional double clearing of vmid_flag Justin Tee
2024-07-26 23:15 ` [PATCH 5/8] lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology Justin Tee
2024-07-26 23:15 ` [PATCH 6/8] lpfc: Update PRLO handling " Justin Tee
2024-07-26 23:15 ` [PATCH 7/8] lpfc: Update lpfc version to 14.4.0.4 Justin Tee
2024-07-26 23:15 ` [PATCH 8/8] lpfc: Copyright updates for 14.4.0.4 patches Justin Tee
2024-08-03 1:50 ` [PATCH 0/8] Update lpfc to revision 14.4.0.4 Martin K. Petersen
2024-08-05 21:17 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240726231512.92867-4-justintee8345@gmail.com \
--to=justintee8345@gmail.com \
--cc=jsmart2021@gmail.com \
--cc=justin.tee@broadcom.com \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox